app/Support/System/OAuthKeys.php

<?php

/**
 * OAuthKeys.php
 * Copyright (c) 2020 james@firefly-iii.org
 *
 * This file is part of Firefly III (https://github.com/firefly-iii).
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

declare(strict_types=1);

namespace FireflyIII\Support\System;

use FireflyIII\Exceptions\FireflyException;
use FireflyIII\Support\Facades\FireflyConfig;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Log;
use Laravel\Passport\Console\KeysCommand;
use Psr\Container\ContainerExceptionInterface;
use Psr\Container\NotFoundExceptionInterface;
use Safe\Exceptions\FilesystemException;

use function Safe\file_get_contents;
use function Safe\file_put_contents;

/**
 * Class OAuthKeys
 */
class OAuthKeys
{
    private const string PRIVATE_KEY = 'oauth_private_key';
    private const string PUBLIC_KEY  = 'oauth_public_key';

    public static function generateKeys(): void
    {
        Log::debug('Will now run generateKeys()');
        Artisan::registerCommand(new KeysCommand());
        Artisan::call('firefly-iii:laravel-passport-keys');
        Log::debug('Done with generateKeys()');
    }

    public static function hasKeyFiles(): bool
    {
        Log::debug('hasKeyFiles()');
        $private       = storage_path('oauth-private.key');
        $public        = storage_path('oauth-public.key');
        $privateExists = file_exists($private);
        $publicExists  = file_exists($public);

        Log::debug(sprintf('Private key file at "%s" exists? %s', $private, var_export($privateExists, true)));
        Log::debug(sprintf('Public key file at "%s" exists ? %s', $public, var_export($publicExists, true)));

        $result        = file_exists($private) && file_exists($public);
        Log::debug(sprintf('Method will return %s', var_export($result, true)));

        return $result;
    }

    public static function keysInDatabase(): bool
    {
        $privateKey = '';
        $publicKey  = '';
        // better check if keys are in the database:
        $hasPrivate = FireflyConfig::has(self::PRIVATE_KEY);
        $hasPublic  = FireflyConfig::has(self::PUBLIC_KEY);

        Log::debug(sprintf('keysInDatabase: hasPrivate:%s, hasPublic:%s', var_export($hasPrivate, true), var_export($hasPublic, true)));

        if ($hasPrivate && $hasPublic) {
            try {
                $privateKey = trim((string)FireflyConfig::get(self::PRIVATE_KEY)?->data);
                $publicKey  = trim((string)FireflyConfig::get(self::PUBLIC_KEY)?->data);
            } catch (ContainerExceptionInterface|FireflyException|NotFoundExceptionInterface $e) {
                Log::error(sprintf('Could not validate keysInDatabase(): %s', $e->getMessage()));
                Log::error($e->getTraceAsString());
            }
        }
        if ('' === $privateKey) {
            Log::warning('Private key in DB is unexpectedly an empty string.');
        }
        if ('' === $publicKey) {
            Log::warning('Public key in DB is unexpectedly an empty string.');
        }
        if ('' !== $privateKey) {
            Log::debug(sprintf('SHA2 hash of private key in DB: %s', hash('sha256', $privateKey)));
        }
        if ('' !== $publicKey) {
            Log::debug(sprintf('SHA2 hash of public key in DB : %s', hash('sha256', $publicKey)));
        }
        $return     = '' !== $privateKey && '' !== $publicKey;
        Log::debug(sprintf('keysInDatabase will return %s', var_export($return, true)));

        return $return;
    }

    /**
     * @throws ContainerExceptionInterface
     * @throws FireflyException
     * @throws NotFoundExceptionInterface
     * @throws FilesystemException
     */
    public static function restoreKeysFromDB(): bool
    {
        Log::debug('restoreKeysFromDB()');
        $privateKey = (string)FireflyConfig::get(self::PRIVATE_KEY)?->data;
        $publicKey  = (string)FireflyConfig::get(self::PUBLIC_KEY)?->data;

        if ('' === $privateKey) {
            Log::warning('Private key is not in the database.');
        }
        if ('' === $publicKey) {
            Log::warning('Public key is not in the database.');
        }

        try {
            $privateContent = trim(Crypt::decrypt($privateKey));
            $publicContent  = trim(Crypt::decrypt($publicKey));
        } catch (DecryptException $e) {
            Log::error('Could not decrypt pub/private keypair.');
            Log::error($e->getMessage());

            // delete config vars from DB:
            FireflyConfig::delete(self::PRIVATE_KEY);
            FireflyConfig::delete(self::PUBLIC_KEY);
            Log::debug('Done with generateKeysFromDB(), return FALSE');

            return false;
        }
        $private    = storage_path('oauth-private.key');
        $public     = storage_path('oauth-public.key');
        file_put_contents($private, $privateContent);
        file_put_contents($public, $publicContent);

        Log::debug(sprintf('Will store private key with hash "%s" in file "%s"', hash('sha256', $privateContent), $private));
        Log::debug(sprintf('Will store public key with hash "%s" in file "%s"', hash('sha256', $publicContent), $public));
        Log::debug('Done with generateKeysFromDB()');

        return true;
    }

    public static function storeKeysInDB(): void
    {
        $private        = storage_path('oauth-private.key');
        $public         = storage_path('oauth-public.key');
        $privateContent = file_get_contents($private);
        $publicContent  = file_get_contents($public);
        FireflyConfig::set(self::PRIVATE_KEY, Crypt::encrypt($privateContent));
        FireflyConfig::set(self::PUBLIC_KEY, Crypt::encrypt($publicContent));

        Log::debug(sprintf('Will store the content of file "%s" as "%s" in the database (hash: %s)', $private, self::PRIVATE_KEY, hash('sha256', $privateContent)));
        Log::debug(sprintf('Will store the content of file "%s" as "%s" in the database (hash: %s)', $public, self::PUBLIC_KEY, hash('sha256', $publicContent)));
    }

    public static function verifyKeysRoutine(): void
    {
        if (!self::keysInDatabase() && !self::hasKeyFiles()) {
            self::generateKeys();
            self::storeKeysInDB();

            return;
        }
        if (self::keysInDatabase() && !self::hasKeyFiles()) {
            self::restoreKeysFromDB();

            return;
        }
        if (!self::keysInDatabase() && self::hasKeyFiles()) {
            self::storeKeysInDB();
        }
    }
}
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`<?php`
Update copyrights. 2020-06-30 19:05:35 +02:00
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`/**`
			`* OAuthKeys.php`
Update copyrights. 2020-06-30 19:05:35 +02:00			`* Copyright (c) 2020 james@firefly-iii.org`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`*`
			`* This file is part of Firefly III (https://github.com/firefly-iii).`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`*/`

Update copyrights. 2020-06-30 19:05:35 +02:00			`declare(strict_types=1);`

Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`namespace FireflyIII\Support\System;`

Validate key existence more strictly. 2021-12-02 18:14:43 +01:00			`use FireflyIII\Exceptions\FireflyException;`
Remove some debug logging, use Facade. 2025-10-08 06:31:47 +02:00			`use FireflyIII\Support\Facades\FireflyConfig;`
Better catch for key restauration problems. 2021-12-21 16:35:28 +01:00			`use Illuminate\Contracts\Encryption\DecryptException;`
Replace magic facades 2025-05-24 17:15:46 +02:00			`use Illuminate\Support\Facades\Artisan;`
Add imports for facades 2025-02-23 12:47:04 +01:00			`use Illuminate\Support\Facades\Crypt;`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`use Illuminate\Support\Facades\Log;`
chore: code cleanup. 2023-05-29 13:56:55 +02:00			`use Laravel\Passport\Console\KeysCommand;`
Validate key existence more strictly. 2021-12-02 18:14:43 +01:00			`use Psr\Container\ContainerExceptionInterface;`
			`use Psr\Container\NotFoundExceptionInterface;`
Various code cleanup. 2025-10-05 12:57:58 +02:00			`use Safe\Exceptions\FilesystemException;`
🤖 Auto commit for release 'develop' on 2026-01-17 2026-01-17 16:11:09 +01:00
Fix various code. 2025-05-27 17:06:15 +02:00			`use function Safe\file_get_contents;`
			`use function Safe\file_put_contents;`

Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`/**`
			`* Class OAuthKeys`
			`*/`
			`class OAuthKeys`
			`{`
Add some PHP 8.3-only features. 2023-12-02 12:56:48 +01:00			`private const string PRIVATE_KEY = 'oauth_private_key';`
			`private const string PUBLIC_KEY = 'oauth_public_key';`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00
Optimize queries for statistics. 2025-09-26 06:05:37 +02:00			`public static function generateKeys(): void`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`{`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`Log::debug('Will now run generateKeys()');`
Optimize queries for statistics. 2025-09-26 06:05:37 +02:00			`Artisan::registerCommand(new KeysCommand());`
			`Artisan::call('firefly-iii:laravel-passport-keys');`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`Log::debug('Done with generateKeys()');`
Optimize queries for statistics. 2025-09-26 06:05:37 +02:00			`}`
Code cleanup 2021-03-21 09:15:40 +01:00
Optimize queries for statistics. 2025-09-26 06:05:37 +02:00			`public static function hasKeyFiles(): bool`
			`{`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`Log::debug('hasKeyFiles()');`
			`$private = storage_path('oauth-private.key');`
			`$public = storage_path('oauth-public.key');`
			`$privateExists = file_exists($private);`
			`$publicExists = file_exists($public);`

			`Log::debug(sprintf('Private key file at "%s" exists? %s', $private, var_export($privateExists, true)));`
			`Log::debug(sprintf('Public key file at "%s" exists ? %s', $public, var_export($publicExists, true)));`

🤖 Auto commit for release 'develop' on 2026-01-17 2026-01-17 16:11:09 +01:00			`$result = file_exists($private) && file_exists($public);`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`Log::debug(sprintf('Method will return %s', var_export($result, true)));`
🤖 Auto commit for release 'develop' on 2026-01-17 2026-01-17 16:11:09 +01:00
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`return $result;`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`}`

Code cleanup 2021-03-21 09:15:40 +01:00			`public static function keysInDatabase(): bool`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`{`
Validate key existence more strictly. 2021-12-02 18:14:43 +01:00			`$privateKey = '';`
			`$publicKey = '';`
			`// better check if keys are in the database:`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`$hasPrivate = FireflyConfig::has(self::PRIVATE_KEY);`
			`$hasPublic = FireflyConfig::has(self::PUBLIC_KEY);`

			`Log::debug(sprintf('keysInDatabase: hasPrivate:%s, hasPublic:%s', var_export($hasPrivate, true), var_export($hasPublic, true)));`

			`if ($hasPrivate && $hasPublic) {`
Validate key existence more strictly. 2021-12-02 18:14:43 +01:00			`try {`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`$privateKey = trim((string)FireflyConfig::get(self::PRIVATE_KEY)?->data);`
			`$publicKey = trim((string)FireflyConfig::get(self::PUBLIC_KEY)?->data);`
🤖 Auto commit for release 'develop' on 2026-01-17 2026-01-17 16:11:09 +01:00			`} catch (ContainerExceptionInterface\|FireflyException\|NotFoundExceptionInterface $e) {`
Fix code quality with rector [skip ci] 2025-11-09 09:08:03 +01:00			`Log::error(sprintf('Could not validate keysInDatabase(): %s', $e->getMessage()));`
			`Log::error($e->getTraceAsString());`
Validate key existence more strictly. 2021-12-02 18:14:43 +01:00			`}`
			`}`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`if ('' === $privateKey) {`
			`Log::warning('Private key in DB is unexpectedly an empty string.');`
			`}`
			`if ('' === $publicKey) {`
			`Log::warning('Public key in DB is unexpectedly an empty string.');`
			`}`
			`if ('' !== $privateKey) {`
			`Log::debug(sprintf('SHA2 hash of private key in DB: %s', hash('sha256', $privateKey)));`
			`}`
			`if ('' !== $publicKey) {`
			`Log::debug(sprintf('SHA2 hash of public key in DB : %s', hash('sha256', $publicKey)));`
			`}`
🤖 Auto commit for release 'develop' on 2026-01-17 2026-01-17 16:11:09 +01:00			`$return = '' !== $privateKey && '' !== $publicKey;`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`Log::debug(sprintf('keysInDatabase will return %s', var_export($return, true)));`
🤖 Auto commit for release 'develop' on 2025-11-09 2025-11-09 09:11:55 +01:00
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`return $return;`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`}`

			`/**`
Various code cleanup. 2025-10-05 12:57:58 +02:00			`* @throws ContainerExceptionInterface`
Reformat various code. 2022-03-29 15:10:05 +02:00			`* @throws FireflyException`
Various code cleanup. 2025-10-05 12:57:58 +02:00			`* @throws NotFoundExceptionInterface`
			`* @throws FilesystemException`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`*/`
Better catch for key restauration problems. 2021-12-21 16:35:28 +01:00			`public static function restoreKeysFromDB(): bool`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`{`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`Log::debug('restoreKeysFromDB()');`
Remove some debug logging, use Facade. 2025-10-08 06:31:47 +02:00			`$privateKey = (string)FireflyConfig::get(self::PRIVATE_KEY)?->data;`
			`$publicKey = (string)FireflyConfig::get(self::PUBLIC_KEY)?->data;`
Code cleanup. 2023-12-20 19:35:52 +01:00
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`if ('' === $privateKey) {`
			`Log::warning('Private key is not in the database.');`
			`}`
			`if ('' === $publicKey) {`
			`Log::warning('Public key is not in the database.');`
			`}`

Better catch for key restauration problems. 2021-12-21 16:35:28 +01:00			`try {`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`$privateContent = trim(Crypt::decrypt($privateKey));`
			`$publicContent = trim(Crypt::decrypt($publicKey));`
Reformat various code. 2022-03-29 15:00:29 +02:00			`} catch (DecryptException $e) {`
Fix code quality with rector [skip ci] 2025-11-09 09:08:03 +01:00			`Log::error('Could not decrypt pub/private keypair.');`
			`Log::error($e->getMessage());`
Better catch for key restauration problems. 2021-12-21 16:35:28 +01:00
			`// delete config vars from DB:`
Remove some debug logging, use Facade. 2025-10-08 06:31:47 +02:00			`FireflyConfig::delete(self::PRIVATE_KEY);`
			`FireflyConfig::delete(self::PUBLIC_KEY);`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`Log::debug('Done with generateKeysFromDB(), return FALSE');`
🤖 Auto commit for release 'develop' on 2026-01-17 2026-01-17 16:11:09 +01:00
Better catch for key restauration problems. 2021-12-21 16:35:28 +01:00			`return false;`
			`}`
🤖 Auto commit for release 'develop' on 2026-01-17 2026-01-17 16:11:09 +01:00			`$private = storage_path('oauth-private.key');`
			`$public = storage_path('oauth-public.key');`
Fix various code. 2025-05-27 17:06:15 +02:00			`file_put_contents($private, $privateContent);`
			`file_put_contents($public, $publicContent);`
Code cleanup. 2023-12-20 19:35:52 +01:00
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`Log::debug(sprintf('Will store private key with hash "%s" in file "%s"', hash('sha256', $privateContent), $private));`
			`Log::debug(sprintf('Will store public key with hash "%s" in file "%s"', hash('sha256', $publicContent), $public));`
			`Log::debug('Done with generateKeysFromDB()');`

Better catch for key restauration problems. 2021-12-21 16:35:28 +01:00			`return true;`
Always verify keys, should also help with Heroku instances. 2019-10-19 09:37:35 +02:00			`}`
Optimize queries for statistics. 2025-09-26 06:05:37 +02:00
			`public static function storeKeysInDB(): void`
			`{`
Fix https://github.com/orgs/firefly-iii/discussions/11538 2026-01-17 16:02:59 +01:00			`$private = storage_path('oauth-private.key');`
			`$public = storage_path('oauth-public.key');`
			`$privateContent = file_get_contents($private);`
			`$publicContent = file_get_contents($public);`
			`FireflyConfig::set(self::PRIVATE_KEY, Crypt::encrypt($privateContent));`
			`FireflyConfig::set(self::PUBLIC_KEY, Crypt::encrypt($publicContent));`

			`Log::debug(sprintf('Will store the content of file "%s" as "%s" in the database (hash: %s)', $private, self::PRIVATE_KEY, hash('sha256', $privateContent)));`
			`Log::debug(sprintf('Will store the content of file "%s" as "%s" in the database (hash: %s)', $public, self::PUBLIC_KEY, hash('sha256', $publicContent)));`
Optimize queries for statistics. 2025-09-26 06:05:37 +02:00			`}`

			`public static function verifyKeysRoutine(): void`
			`{`
			`if (!self::keysInDatabase() && !self::hasKeyFiles()) {`
			`self::generateKeys();`
			`self::storeKeysInDB();`

			`return;`
			`}`
			`if (self::keysInDatabase() && !self::hasKeyFiles()) {`
			`self::restoreKeysFromDB();`

			`return;`
			`}`
			`if (!self::keysInDatabase() && self::hasKeyFiles()) {`
			`self::storeKeysInDB();`
			`}`
			`}`
Add newlines and remove some unused translations. 2020-05-30 07:33:06 +02:00			`}`